In the spirit of trust, transparency and open source collaboration I am publishing the setup, scripts and configuration details on github: https://github.com/pysiak/dnscrypt.pl
Infrastructure and setup
Your queries arrive at one of the 3 rust-based encrypted-dns-server instances. All instances share a no log setup and default cache settings for 100k entries. The only differ in blocklists applied:
- dnscrypt.pl is poz1.dnscrypt.pl:2053 has 0 blocklists
- dnscrypt.pl-guardian is poz1.dnscrypt.pl:2054 has 6 sources of blocklists
They share the same whitelist and unbound configuration: https://github.com/pysiak/dnscrypt.pl/tree/main/configs
If your query is not satisfied by the cache at this level it is forwarded to a locally running a DNSSEC-enabled unbound instance which has its own cache and if the query is not satisfied, it is being resolved from the root name servers. No forwarding upstream.
All encrypted-dns-server instances produce metrics which are being pulled from a prometheus instance and grafana server is pulling from prometheues.
The manual blocks include such stuff as:
- CARBANAK APT – THE GREAT BANK ROBBERY
- The Mask – DNS and IP filtering as per Kaspersky Paper
- SOHO Farming – A Team Cymru EIS Report: Growing Exploitation of Small Office Routers Creating Serious Risks
- Hacking Team and Gamma International in “Business-to-Government Malware”. (Story, Report)
- Equation Group: Question and Answers, Version: 1.5, February 2015 #EquationAPT #TheSAS2015 – Kaspersky Labs